Research, development and trades concerning the powerful Proxmark3 device.
The smartphone does not communicate correctly with a Mifare Classic 1K tag simulated by the Proxmark (hf mf sim u 1efb6c54).
After successful authentication to a sector with a valid key, the smartphone resets the communication with the diagnostic "Tag was lost". This is shown in trace #1.
There are some traces for analysis. Traces #2 and #4 show communication between a real tag and the smartphone/ACR122 reader; it works correctly.
Trace #3 shows correct communication between the simulated tag and the ACR122 reader.
As you may have seen, the real tag sends the answer
*AUTH: at (enc)*
without parity. This works correctly with any reader.
The Proxmark 1K tag simulator sends the answer
*AUTH: at (enc)*
with parity. This works correctly only with the ACR122 reader and does not work with the smartphone.
Any ideas?
Trace #1. Simulation of Mifare Classic 1K by Proxmark. Attempt to read block 0 from the smartphone (Sony Xperia) with valid key FF FF FF FF FF FF
3103814 | 3108582 | Rdr |50 00 57 cd | | HALT
3147228 | 3148220 | Rdr |52 | | WUPA
3149968 | 3152336 | Tag |04 00 | |
3159318 | 3169846 | Rdr |93 70 1e fb 6c 54 dd 4b a2 | ok | SELECT_UID
3171658 | 3175178 | Tag |08 b6 dd | |
3223134 | 3227838 | Rdr |60 00 f5 7b | ok | AUTH-A(0)
3232274 | 3236946 | Tag |57 7a 5a 78 | | AUTH: nt
3243740 | 3253052 | Rdr |83 41 7f f4 2a 99 58 fe | | AUTH: nr ar (enc)
3261968 | 3266704 | Tag |dc 31 cf 8c | | AUTH: at (enc)
3334144 | 3338912 | Rdr |af ea ba 63 | |
| | * | key ffffffffffff prng WEAK | |
| | * |50 00 57 CD | ok | HALT
3342516 | 3343092 | Tag |0f | |
3857594 | 3858650 | Rdr |26 | | REQA
3860206 | 3862574 | Tag |04 00 | |
3869588 | 3872052 | Rdr |93 20 | | ANTICOLL
Trace #2. Sniff between a real Mifare Classic 1K and the smartphone (Sony Xperia). Read block 0 with valid key FF FF FF FF FF FF
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
3229248 | 3234016 | Rdr |50 00 57 cd | ok | HALT
3275584 | 3276576 | Rdr |52 | | WUPA
3277828 | 3280196 | Tag |04 00 | |
3287216 | 3297744 | Rdr |93 70 1e fb 6c 54 dd 4b a2 | ok | SELECT_UID
3298932 | 3302452 | Tag |08 b6 dd | |
3373296 | 3378000 | Rdr |60 00 f5 7b | ok | AUTH-A(0)
3379636 | 3384372 | Tag |28 1e 96 ea | | AUTH: nt
3391088 | 3400464 | Rdr |d7 6d e4 89 eb 96 5e 1f | | AUTH: nr ar (enc)
3401652 | 3406324 | Tag |7b! 57! 85 d0! | | AUTH: at (enc)
3455152 | 3459856 | Rdr |ab be 22 02 | |
| | * | key ffffffffffff prng WEAK | |
| | * |30 00 02 A8 | ok | READBLOCK(0)
3461108 | 3481908 | Tag |51! df 0c! b7 18 6a db! b4 85! fd! d7 26 03 fa 14 49! 5d b7 | |
| | * |1E FB 6C 54 DD 08 04 00 01 2A D6 A7 C3 42 D8 1D 6F 82 | ok |
Trace #3. Simulation of Mifare Classic 1K by Proxmark. Read block 0 by ACR122U with valid key FF FF FF FF FF FF
400395578 | 400396570 | Rdr |52 | | WUPA
400398318 | 400400686 | Tag |04 00 | |
400413910 | 400424438 | Rdr |93 70 1e fb 6c 54 dd 4b a2 | ok | SELECT_UID
400426186 | 400429706 | Tag |08 b6 dd | |
403208286 | 403212990 | Rdr |60 00 f5 7b | ok | AUTH-A(0)
403217554 | 403222290 | Tag |b8 2a 14 04 | | AUTH: nt
403223644 | 403232956 | Rdr |93 0b 33 19 f2 30 73 fe | | AUTH: nr ar (enc)
403241872 | 403246544 | Tag |90 f9 a3 cf | | AUTH: at (enc)
403307576 | 403312280 | Rdr |30 00 02 a8 | |
| | * | key ffffffffffff prng WEAK | |
| | * |27 F2 36 2B | !crc|
403326828 | 403347692 | Tag |db! 60! b0 ef! 62! 52! 9b bc! 87! 76 2e! 6f! db! d5! 5e 82 61! 4e! | |
| | * |1E FB 6C 54 DD 08 04 00 01 2A D6 A7 C3 42 D8 1D 6F 82 | ok |
Trace #4. Sniff between a real Mifare Classic 1K and the ACR122U reader. Read block 0 with valid key FF FF FF FF FF FF
351216752 | 351217744 | Rdr |52 | | WUPA
351218996 | 351221364 | Tag |04 00 | |
351234672 | 351245200 | Rdr |93 70 1e fb 6c 54 dd 4b a2 | ok | SELECT_UID
351246388 | 351249908 | Tag |08 b6 dd | |
351508832 | 351513536 | Rdr |60 00 f5 7b | ok | AUTH-A(0)
351515172 | 351519844 | Tag |93 d7 39 56 | | AUTH: nt
351521248 | 351530560 | Rdr |c4 0a fb 77 b6 15 84 d5 | | AUTH: nr ar (enc)
351531812 | 351536484 | Tag |68! 4e! 4b! fe! | | AUTH: at (enc)
351597392 | 351602096 | Rdr |bc 57 55 04 | |
| | * | key ffffffffffff prng WEAK | |
| | * |30 00 02 A8 | ok | READBLOCK(0)
351603348 | 351624148 | Tag |9b 24! 04! 82! 91! b0! df 3c! b2 71 4f! 74 8a 9d 4f dc! b3! 58! | |
| | * |1E FB 6C 54 DD 08 04 00 01 2A D6 A7 C3 42 D8 1D 6F 82 | ok |
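As an added illustration (not part of the original post or of the Proxmark3 code base): a small Python parser for the "trace list" rows quoted above. It splits each row into its six columns, keeps the per-byte "!" parity-error markers, and then reports, for each of the four traces, how many bytes of the tag's "AUTH: at (enc)" reply carry such a marker. The only assumption is the column layout shown in the post (Start | End | Src | Data | CRC | Annotation); the embedded sample rows are the authentication rows copied from traces #1 to #4.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Row layout of the Proxmark3 "trace list" output quoted in the post:
#   Start | End | Src | Data (! denotes parity error) | CRC | Annotation
# Rows with Src "*" are decoder annotations (recovered key, decrypted command);
# they carry no timestamps and their Data column may be free text.

@dataclass
class TraceRow:
    start: Optional[int]
    end: Optional[int]
    src: str                  # "Rdr", "Tag" or "*"
    data: List[int]           # bytes exactly as logged (hex column)
    parity_error: List[bool]  # True where the byte carried a "!" marker
    crc: str                  # "ok", "!crc" or ""
    annotation: str

HEX_BYTE = re.compile(r"^([0-9A-Fa-f]{2})(!?)$")
SOURCES = ("Rdr", "Tag", "*")

def parse_row(line: str) -> Optional[TraceRow]:
    """Parse one pipe-separated row; None for header, separator and prose lines."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 6 or parts[2] not in SOURCES:
        return None
    start_s, end_s, src, data_s, crc, ann = parts
    data: List[int] = []
    perr: List[bool] = []
    for tok in data_s.split():
        m = HEX_BYTE.match(tok)
        if m is None:                 # free-text Data column, e.g. "key ... prng WEAK"
            data, perr = [], []
            ann = ann or data_s
            break
        data.append(int(m.group(1), 16))
        perr.append(m.group(2) == "!")
    return TraceRow(
        start=int(start_s) if start_s else None,
        end=int(end_s) if end_s else None,
        src=src, data=data, parity_error=perr, crc=crc, annotation=ann,
    )

def parse_trace(text: str) -> List[TraceRow]:
    return [r for r in (parse_row(l) for l in text.splitlines()) if r is not None]

def auth_at_parity_errors(rows: List[TraceRow]) -> Optional[List[bool]]:
    """Parity-error flags of the tag's 'AUTH: at (enc)' reply, or None if absent."""
    for r in rows:
        if r.src == "Tag" and r.annotation == "AUTH: at (enc)":
            return r.parity_error
    return None

# Constructed subset: the three authentication rows of each trace in the post.
TRACES: Dict[str, str] = {
    "#1 simulated tag / phone": """
3232274 | 3236946 | Tag |57 7a 5a 78 | | AUTH: nt
3243740 | 3253052 | Rdr |83 41 7f f4 2a 99 58 fe | | AUTH: nr ar (enc)
3261968 | 3266704 | Tag |dc 31 cf 8c | | AUTH: at (enc)
""",
    "#2 real tag / phone": """
3379636 | 3384372 | Tag |28 1e 96 ea | | AUTH: nt
3391088 | 3400464 | Rdr |d7 6d e4 89 eb 96 5e 1f | | AUTH: nr ar (enc)
3401652 | 3406324 | Tag |7b! 57! 85 d0! | | AUTH: at (enc)
""",
    "#3 simulated tag / ACR122U": """
403217554 | 403222290 | Tag |b8 2a 14 04 | | AUTH: nt
403223644 | 403232956 | Rdr |93 0b 33 19 f2 30 73 fe | | AUTH: nr ar (enc)
403241872 | 403246544 | Tag |90 f9 a3 cf | | AUTH: at (enc)
""",
    "#4 real tag / ACR122U": """
351515172 | 351519844 | Tag |93 d7 39 56 | | AUTH: nt
351521248 | 351530560 | Rdr |c4 0a fb 77 b6 15 84 d5 | | AUTH: nr ar (enc)
351531812 | 351536484 | Tag |68! 4e! 4b! fe! | | AUTH: at (enc)
""",
}

def at_parity_error_counts(traces: Dict[str, str] = TRACES) -> Dict[str, int]:
    """Number of '!'-marked bytes in each trace's AUTH: at (enc) reply (-1 if missing)."""
    out: Dict[str, int] = {}
    for name, text in traces.items():
        flags = auth_at_parity_errors(parse_trace(text))
        out[name] = -1 if flags is None else sum(flags)
    return out

if __name__ == "__main__":
    for name, n in at_parity_error_counts().items():
        verdict = ("plain parity over the ciphertext (unpatched simulator)" if n == 0
                   else "parity bits encrypted with the keystream (genuine tag)")
        print(f"{name}: {n} of 4 bytes flagged -> {verdict}")
```

The "!" marker means the sniffer saw a parity bit that does not match plain ISO 14443-A parity of the byte as transmitted; a genuine Mifare Classic encrypts its parity bits with the Crypto1 keystream, so about half of them will look wrong, which is exactly what the real-tag traces (#2, #4) show and the simulator traces (#1, #3) do not.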
This diff corrects the code:
diff --git a/armsrc/iso14443a.c b/armsrc/iso14443a.c
index 4811a08d..49ed4535 100644
--- a/armsrc/iso14443a.c
+++ b/armsrc/iso14443a.c
@@ -3353,9 +3353,11 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
break;
}
- ans = prng_successor(nonce, 96) ^ crypto1_word(pcs, 0, 0);
- num_to_bytes(ans, 4, rAUTH_AT);
- EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
+ ans = prng_successor(nonce, 96);
+ num_to_bytes(ans, 4, response);
+ mf_crypto1_encrypt(pcs, response, 4, response_par);
+ EmSendCmdPar(response, 4, response_par);
+
LED_C_ON();
if (MF_DBGLEVEL >= 3) {
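Review bot: the two buffers `response` and `response_par` written by the new lines are not declared anywhere in the hunk, so this only builds if `Mifare1ksim` already has them in scope; if it does not, declare them (4 data bytes plus a parity buffer) ahead of `ans = prng_successor(nonce, 96);`, and drop the now-unused `rAUTH_AT` so it does not become an unused-variable warning. The substance of the change is sound: the old path XORed the keystream into the bytes and then called `EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT))`, which takes no parity argument and so has to derive plain parity from the already-encrypted bytes, whereas `mf_crypto1_encrypt(pcs, response, 4, response_par)` followed by `EmSendCmdPar(response, 4, response_par)` transmits keystream-encrypted parity bits as well, matching the "!"-marked AUTH: at bytes of the genuine tag in traces #2 and #4. A one-line comment stating that Mifare Classic encrypts the parity bits together with the data would help the next reader, and the stray empty `+` line at the end of the hunk can go.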
Strange, when I use hf mf sim with or without your suggested patch, the simulation works against a valid reader.
The question is whether it's because the current implementation is too slow or because it calculates the parity wrong when encrypting.
Yes, any reader such as the ACR122U works correctly both with and without my patch. Smartphone applications work only with the patch.
Traces #2 and #4 contain data sniffed from a valid tag. In those traces the tag also answers "AUTH: at (enc)" without parity. It is strange, but it works everywhere.
And further: look at trace #3. It contains the wrong order of encoded and decoded reader data. After the tag answers
"AUTH: at (enc)" 90 f9 a3 cf
the trace log already contains the decoded reader command "read block" 30 00 02 a8. Then the parser ("trace list mf") decodes the already decoded data and shows the unknown data "27 F2 36 2B".
That would be a bug in how sim logs its commands, since before the changes to trace list (which started trying to recover the key and decode the trace), hf mf sim should log the encrypted data.